Microsoft Releases Record 15 Security Patches for August

Microsoft rolled out 14 fixes in its August security update Tuesday, bringing the total for the month to 15 (the company released an out-of-band Windows Shell patch August 2).

The 14 new fixes are aimed at plugging 34 vulnerabilities. For the entire August slate of patches, Microsoft lists nine "critical" items and six bulletins deemed "important" to patch.

Of the 14 new security bulletins, 10 address remote code execution (RCE) flaws. The rest are designed to stave off elevation-of-privilege exploits. Various Microsoft products are affected, including Windows, Internet Explorer, Office and the Silverlight multimedia app.

IT pros will have to roll with the punches this time, according to Paul Henry, security analyst at Lumension, but the critical security bulletins take priority.

"This will be a disruptive Patch Tuesday, given the broad range of products impacted and the required restarts," Henry said. "Initial priorities should always be the nine critical vulnerabilities, followed by the remaining balance of important and moderate patches. The balance of patches, while not critical, should not be ignored in today's environment."

Critical Fixes
The first critical item listed for August is for the aforementioned Windows Shell issue for which Microsoft issued an off-cycle security update last week. Redmond says that the update resolves a publicly disclosed vulnerability associated with shortcut files that could allow RCE attacks. The fix affects every supported Windows OS.

Critical fix No. 2 affects every supported Windows OS as well and involves two previously disclosed holes in the "Secure Channel" security package in Windows. The exploit can be triggered if a user browses to a specially crafted Web site, according to Microsoft.

The third critical fix only affects XP, Vista and Windows Server 2003. It resolves a privately reported vulnerability in Microsoft XML Core Services.

The fourth critical item is for Microsoft MPEG Layer-3 audio codecs. Microsoft says that the flaw could enable an RCE attack if a user opens a specially crafted media file.

Next up, the fifth critical item is yet another cumulative Internet Explorer patch. It covers IE 6 through IE 8 on every supported Windows OS.

"The SMB Pool Overflow Vulnerability is potentially the most dangerous vulnerability as it allows unauthenticated attackers to execute arbitrary code on remote machines," said Rapid7 security researcher Josh Abraham. "However, [Microsoft] rated its exploitability index at 2 as Microsoft believes this SMB vulnerability is hard to exploit. But the security community will obviously focus on reverse-engineering this one and may come up with an original way to exploit it."

The seventh critical item is a fix for a vulnerability in the Cinepak video codec. This patch addresses XP, Vista and Windows 7.

Critical fix No. 8 is for Microsoft Word. The patch affects Word in the following Office editions: Office XP, Office 2003, and 2007 Microsoft Office System Service Pack 2. Additionally, Office 2004, 2008 and Open XML File Format Converter for Mac are covered.

The ninth and final critical fix in the August rollout addresses the Microsoft .NET Framework and Microsoft Silverlight. This patch addresses an RCE exploit affecting Silverlight 2 and Silverlight 3.

Important Fixes
All of the important fixes, except for one, are Windows OS-level patches. The exploits addressed represent a mixed bag. The August patch contains two fixes for RCE flaws and four fixes for elevation-of-privilege vulnerabilities.

The first and second important items affect the Windows kernel. The first item covers every Windows OS except Windows Server 2003. The second item affects every supported Windows OS.

Important item No. 3, meanwhile, only covers XP and Vista. It's designed to fix a privately reported vulnerability in Windows Movie Maker.

The fourth important item covers the Office spreadsheet app Excel. This patch affects Office XP, Office 2003, and 2007 Microsoft Office System Service Pack 2. On the Mac side of things, Office 2004, 2008 and Open XML File Format Converter for Mac are slated to get this patch.

The remaining two important items are Windows patches covering only Vista, Windows 7 and Windows Server 2008. Important fix No. 5 addresses vulnerabilities in the Transmission Control Protocol and Internet Protocol (TCP/IP) in Windows that could allow elevation of privilege. Important fix No. 6 deals with flaws in the Tracing Feature for Services in Windows. However, exploiting these flaws requires that the attacker have valid logon credentials on an affected system.

All 15 patches may require a restart.

"This many patches can increase network bandwidth, increase the time for the system to run each patch and require reboots," said Jason Miller, data and security team manager at Shavlik Technologies.

Going forward, there is still a zero-day Windows kernel-level clipboard vulnerability to consider. The flaw, reported by security researchers, is said to affect all versions of Windows. It involves a heap overflow problem, which is more difficult to take advantage of than a traditional buffer overflow, security researchers say. There's no word yet from Microsoft on whether an out-of-band patch will be coming for this vulnerability.

Windows IT administrators with any time left from this mammoth patch can peruse this Knowledge Base article for nonsecurity updates. The updates are delivered via Windows Server Update Services, Windows Update and Microsoft Update services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.